Jolien, you are DPO of a number of what are called Grant-Endowed Institutions. Those include institutions such as data protection supervisors, but also, for example, Committee P. They are typically not very large organizations and with a very specific assignment. How do you experience working as a DPO in these relatively small organizations? Is it easy to develop a data protection policy?
That largely depends on one organization to the next. One organization already has a higher level of data protection maturity than the next or sometimes works faster than the next. What is interesting to see is that there are not only different maturity levels, but also different possible and simultaneously good paths to data protection compliance.
For example, each organization has its own focus on a domain that it finds slightly more important. For one party it is the exchange of personal data and for the other it is the communication with and to the data subjects.
During the DPO day of 25/05, a survey for DPOs was the focal point, in which they were inquired about their general well-being. What are the most recognizable conclusions from that survey for you?
The most recognizable aspect for me is that about 33% of DPOs can’t let go of their job. On the one hand, this is a positive aspect for me because I am passionate about data protection.
That is why I want to think further ahead and look for ways how I can help organizations to implement the data protection provisions when, for example, one of my recommendations has not had the necessary effect. I often reflect on how I introduced things: did they get it completely, was I clear enough, should I rephrase it? And so on…
On the other hand, after you have given your recommendation and when the organization has decided not to go along with it or to not (entirely) follow up on it, you must dare to let it go. It is ultimately the controller who bears the ultimate responsibility and not the DPO. Moreover, it is not a given that things will stay that way.
I have experienced several times that after a while a recommendation is revoked and the organization will continue to work with it. The process of growing and maturing should therefore not be underestimated. This means that as a DPO you must show the necessary patience.
Another very recognizable result for me is that DPOs are happier when they are in a network and have received targeted data protection training. As a DPO you are in any case stronger if you can follow the necessary training and if you continue to educate, which is an obligation under the GDPR. When you can coordinate your work with other DPOs in networks or workgroups, you will not only learn from it, but it helps you to be more resilient and to grow mentally in the job.
Do you also see more general conclusions that we can draw from the survey to make the job of DPO more attractive?
One of the most important things is more cooperation among the DPOs. Five years ago, I sometimes had the feeling that certain DPOs saw each other as competitors, when in fact we all ultimately perform the same tasks. It can be very instructive to see how another DPO conveys a particular recommendation, for example.
I also think that there should be room for different profiles and domains when working together. We must get rid of the idea that a DPO must have a legal and/or ICT background. The role and tasks of the DPO are about so much more, like for example communication skills and process management.
The questionnaire demonstrates this, by the way: about 35% of the participants indicated that the diversity of the tasks of the DPO is difficult to achieve. So, we had better collaborate and learn across domains and profiles, right?
Job satisfaction among DPOs in the public sector appears to be slightly lower than in the private sector. However, you do see that DPOs in the government try to cooperate in the performance of their job and the survey shows a positive outlook on their job. Do you often work together with other DPOs in the government? How does that collaboration work and do you notice that most of them are satisfied with themselves?
I work well and closely with the DPO of the Chamber and the Senate and there are several working groups that I am part of at the federal level. I learn a lot from those consultation moments, and it is gratifying to sometimes hear that, as DPOs, we encounter the same challenges that are inherent to the job.
Pouring out your heart about this to each other can help, as well as sometimes joining forces in questioning the same processor. Unfortunately, I know fellow DPOs who have opted for a different job because they experienced too much pressure or found the diversity of the tasks too heavy. I therefore think it is very important to focus on the social-emotional and psychological aspects within the role of the DPO.
Depending on your character, for example, an assertiveness course or just a course in communicating more tactfully, can be very useful.
Although a negative recommendation from a DPO on an intended processing can be annoying for an organization and, as a result, DPOs may be put under some pressure more often not to be too critical about pending processing, the survey does not immediately measure that many DPOs experience pressure from management. Have you ever experienced such pressure? Do you have any tips for getting out of this?
Another thing that I think we should get rid of is negative versus positive recommendations from the DPO. I give recommendations in which I often offer different options: “if you do this, then…”, “if you do that, then…”, and so on. This is neither positive nor negative for me, but I rather see it as guiding them to make the choices while respecting the data protection provisions.
And yes, I’ve been in situations where I experienced pressure. The most important thing is to remain objective and find out why they are putting that pressure on you. Maybe there’s something else behind it that you don’t know about (yet)? Continuing to ask questions and collecting as much information as possible can make your job easier in various areas because you can then better understand the context (including the organizational culture).
Another tip is to repeat your role with the necessary references to the GDPR. That way, you help them to understand why your recommendation certainly matters, but they are also documented. In addition, you must beyond a certain point and therefore not linger too long at a recommendation as to why, for example, they are not yet sufficiently open to what that recommendation means.
As I said, it may come back over time and the ‘fight’ will be less heavy, because time has passed, and the organization has also changed or grown.